Man-in-the-Middle Attacks – Pt 1

What is a MITM attack?

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted wireless access point (Wi-Fi[1][2]) could insert themselves as a man-in-the-middle.[3]

There are several types of MITM attacks out there: some at a low level (e.g. MAC address or IP spoofing, ARP Poisoning and wireless de-auth methods to name a few) and at higher levels such as DNS redirection, session hijacking, SSL stripping, etc. Some of these can be stopped via the network infrastructure, others not. In this post I’ll focus on just the wired LAN side of things. In future posts I’ll dig into wireless networks and move up the stack to sessions and SSL/TLS. Finally, I’ll discuss a paper I read recently regarding potential vulnerabilities in the implementations of Elliptic Curve Cryptography (ECC) algorithms. Leave a comment with your vote for which you’d like to see next!


There are two main types of attacks at Layer 2/3. The first type being Endpoint or spoofing attacks, where the target is tricked into sending traffic to the attacker who then forwards the traffic to the original or a changed destination. The second type is an known as an in-line attack, where a device is physically placed on the wire in the path of traffic and modifies or just passively monitors the traffic.

One of the most well-know tools for performing a endpoint MITMs attack on a LAN is Ettercap. Here are few examples of the options as shown in the CLI and GUI:

kali:~$ ettercap -P list

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Available plugins :

         arp_cop  1.1  Report suspicious ARP activity
         autoadd  1.2  Automatically add new victims in the target range
      chk_poison  1.1  Check if the poisoning had success
       dns_spoof  1.2  Sends spoofed dns replies
      dos_attack  1.0  Run a d.o.s. attack against an IP address
           dummy  3.0  A plugin template (for developers)
       find_conn  1.0  Search connections on a switched LAN
   find_ettercap  2.0  Try to find ettercap activity
         find_ip  1.0  Search an unused IP address in the subnet
          finger  1.6  Fingerprint a remote host
   finger_submit  1.0  Submit a fingerprint to ettercap's website
  fraggle_attack  1.0  Run a fraggle attack against hosts of target one
       gre_relay  1.0  Tunnel broker for redirected GRE tunnels
     gw_discover  1.0  Try to find the LAN gateway
         isolate  1.0  Isolate an host from the lan
       link_type  1.0  Check the link type (hub/switch)
      mdns_spoof  1.0  Sends spoofed mDNS replies
      nbns_spoof  1.1  Sends spoof NBNS replies & sends SMB challenges with custom challenge
    pptp_chapms1  1.0  PPTP: Forces chapms-v1 from chapms-v2
      pptp_clear  1.0  PPTP: Tries to force cleartext tunnel
        pptp_pap  1.0  PPTP: Forces PAP authentication
      pptp_reneg  1.0  PPTP: Forces tunnel re-negotiation
      rand_flood  1.0  Flood the LAN with random MAC addresses
  remote_browser  1.2  Sends visited URLs to the browser
       reply_arp  1.0  Simple arp responder
    repoison_arp  1.0  Repoison after broadcast ARP
   scan_poisoner  1.0  Actively search other poisoners
  search_promisc  1.2  Search promisc NICs in the LAN
       smb_clear  1.0  Tries to force SMB cleartext auth
        smb_down  1.0  Tries to force SMB to not use NTLM2 key auth
    smurf_attack  1.0  Run a smurf attack against specified hosts
        sslstrip  1.1  SSLStrip plugin
     stp_mangler  1.0  Become root of a switches spanning tree

In-Line attacks can be performed with custom-made devices like the Hak5 Plunder Bug pictured below or a Raspberry Pi with a USB Ethernet adapter.

The Hak5 “Plunder Bug”

Now, let’s take a look at Vesper, an interesting new tool for detecting these attacks.

Detection via echo analysis using Vesper

Vesper is a novel plug-and-play MitM detector for local area networks. Vesper uses a technique inspired from the domain of acoustic signal processing. Analogous to how echoes in a cave capture the shape and construction of the environment, so to can a short and intense pulse of ICMP echo requests model the link between two network hosts. Vesper sends these probes to a target network host and then uses the reflected signal to summarize the channel environment (think sonar). Vesper uses machine learning to profile the link with each host, and to detect when the environment changes. Using this technique, Vesper can detect MitM attacks with high accuracy, to the extent that it can distinguish between identical networking devices.

This really got my propeller spinning. Mimicking the echolocation used by bats, this tool sends a burst of pings (ICMP ECHOs) of various sizes at random timings to a target host. The responses are then measured and key features extracted from the signal. The features are used to create a signature representing the host. Any MITM device (or really any substantive change) in the path between the two, either physically via a bridge like the “Plunder Bug” above or virtually via L2 redirection via ettercap will cause the signature to change and thus raise an alarm. This is pretty cool and the math behind it is awesome. I wonder how sensitive this method is to noise caused by electrical disturbances such as crosstalk or even a loose RJ-45 connector? This method could be useful on closed networks as an alternative/additional method to physical inspection.

Mitigation via proper switch configuration

Of these attack types, most of the Endpoint variants are easily mitigated through configuration of core security functions available in the Cisco Catalyst switch family. While these may be table-stakes for enterprise networks, not all networks or switches utilize

  • Dynamic ARP inspection (DAI)
  • DHCP Snooping
  • IP Source Guard
  • bpduguard/bpdufilter
  • storm control

Configuration details for each of these features can be found here:

Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

The in-line bridging variant is best defended against by the use of good physical security measures, including cable locks, secured telecom closets, etc. Further, 802.1x along with MACsec (802.1AE) can be used authenticate the connected endpoints and encrypt the traffic at L2 between the client and the switchport, effectively making captured traffic useless. Of course, the higher level traffic should also be encrypted, but I’ll save that for another post.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s